Complete Guide
🔥 Advanced

Internal Penetration Testing Methodology

A comprehensive guide to internal network penetration testing, covering Active Directory attacks, lateral movement, privilege escalation, and enterprise infrastructure compromise. Follows the PTES framework with MITRE ATT&CK mappings throughout.

🚀 New to Internal Pentesting?

Before starting, make sure you're comfortable with these prerequisites:

  • Active Directory fundamentals (domains, trusts, GPOs)
  • TCP/IP networking, DNS, DHCP, SMB
  • Windows & Linux command-line proficiency
  • Kerberos & NTLM authentication basics
  • PowerShell scripting fundamentals
  • A practice lab environment (AD, Linux, network segments)

Recommended reading order: Start with Phase 01 (Pre-Engagement) and work sequentially. Reconnaissance findings feed scanning, scanning output drives enumeration, and enumeration reveals exploitation paths. Each phase builds on the previous.

PTES Methodology Mapping

This guide maps to the Penetration Testing Execution Standard (PTES) phases with MITRE ATT&CK alignment:

| PTES Phase                  | Guide Section                         | MITRE ATT&CK                  | Est. Time |
|-----------------------------|---------------------------------------|-------------------------------|-----------|
| Pre-engagement Interactions | Phase 01                              | not mapped                    | 1–2 days  |
| Intelligence Gathering      | Phase 02 (Reconnaissance)             | TA0043 Reconnaissance         | 2–4 hours |
| Scanning & Enumeration      | Phase 03–04                           | TA0007 Discovery              | 4–8 hours |
| Exploitation                | Phase 05 (16 attack guides)           | TA0001, TA0006, TA0008        | 3–7 days  |
| Post-Exploitation           | Phase 06 (8 post-exploit guides)      | TA0004, TA0003, TA0010        | 2–3 days  |
| Reporting                   | Phase 07                              | not mapped                    | 2–4 days  |
| Red Team Operations         | Phase 09 (Advanced)                   | TA0005, TA0011                | Ongoing   |

What You'll Learn

  • Active Directory enumeration & attacks
  • Credential harvesting techniques
  • Kerberos & NTLM exploitation
  • Lateral movement & pivoting
  • Privilege escalation paths
  • Domain dominance techniques

Methodology Overview

Attack Lifecycle (7 phases)

01 📋 Pre-Engagement
  • Scoping
  • Authorization
  • Rules of Engagement

02 🔍 Reconnaissance
  • Network Discovery
  • AD Enumeration
  • Asset Mapping

03 📡 Scanning
  • Port Scanning
  • Service Detection
  • Vulnerability Scan

04 🗂️ Enumeration
  • SMB/LDAP
  • Kerberos
  • Database Enum

05 💥 Exploitation
  • Credential Attacks
  • Relay/Kerberos
  • Initial Access

06 🎯 Post-Exploitation
  • Privilege Escalation
  • Lateral Movement
  • Domain Dominance

07 📊 Reporting
  • Evidence Collection
  • Executive Summary
  • Technical Report

Lifecycle stages (as grouped in the original diagram): Planning, Discovery, Exploitation, Post-Exploit, Documentation.

Quick Start Checklist

Minimum tests per phase. Use this list as a pre-engagement sanity check or as a quick reference during an assessment; each item is expanded in the corresponding phase guide.

Network Discovery
  • ☐ Subnet discovery (Nmap ping sweep, ARP scan)
  • ☐ Service enumeration (Nmap -sV -sC)
  • ☐ SMB shares & null sessions
  • ☐ SNMP community string brute-force
Credential Attacks
  • ☐ Password spraying (NetExec / DomainPasswordSpray)
  • ☐ LLMNR/NBT-NS poisoning (Responder)
  • ☐ NTLM relay (ntlmrelayx → LDAP/SMB)
  • ☐ AS-REP Roasting (GetNPUsers.py)
Active Directory
  • ☐ BloodHound collection & path analysis
  • ☐ ACL/DACL abuse (GenericAll, WriteDacl)
  • ☐ ADCS misconfiguration (Certipy find)
  • ☐ Delegation abuse (unconstrained/RBCD)
Kerberos
  • ☐ Kerberoasting (GetUserSPNs.py / Rubeus)
  • ☐ Silver/Golden Ticket feasibility
  • ☐ S4U delegation chain testing
  • ☐ Shadow Credentials (Certipy/pywhisker)
Lateral Movement & PrivEsc
  • ☐ PtH / PtT with NetExec / Rubeus
  • ☐ WinRM / PSExec / DCOM lateral moves
  • ☐ Token impersonation (Potato variants)
  • ☐ Credential dumping (LSASS, SAM, DPAPI)
Post-Exploitation
  • ☐ DCSync (secretsdump.py)
  • ☐ LAPS / gMSA password extraction
  • ☐ Persistence mechanism identification
  • ☐ Cloud/hybrid identity assessment
Red Team
  • ☐ C2 establishment (Sliver/Havoc/Cobalt Strike)
  • ☐ EDR evasion validation
  • ☐ Payload development & delivery
  • ☐ OPSEC artifact review
Reporting
  • ☐ Screenshot all critical findings
  • ☐ Timestamp attack chain steps
  • ☐ Executive summary with business impact
  • ☐ Verify remediation recommendations

⚠️ Legal Disclaimer

Internal penetration testing requires explicit written authorization. Unauthorized access to computer systems is illegal. Always ensure proper scope documentation and rules of engagement before beginning any assessment.